Gurvirender Tejay

Developing insider attack detection model: A grounded approach

Insider threats and attacks are a known problem. Within an enterprise it is very difficult to detect and identify insider attacks and abuse against Information Systems. A study was conducted by observing a group of IS security analysts who detect and identify insider attacks. Commonalities and generalizations were made based on the study to create an insider attack detection model. This model will allow other IS security analysts the ability to increase detection of insider attacks and reduce false positives.

Building a better password: The role of cognitive load in information security training

User passwords are the gateway to an organizations assets. When users are the agents selecting passwords, they are the key component to improving passwords. Users must be persuaded to select passwords difficult to compromise. User behavior can be influenced by information security training. This study examines the use of cognitive load theory to design the information security training on password strength. The comprehension of training is measured by an examination of passwords selected after the training.

A Confirmatory Analysis of Information Systems Security Success Factors

Information security has received a great deal of attention from a number of researchers. However, there has been little research aimed at understanding the dimensions - within the organizational context - of information security success. The current study reviews a large body of information security literature and organizes the research based on the research findings. This structure is used to develop factors composing information security success. The dimensions are tested using survey-based methodology and Confirmatory Factor Analysis. Findings indicating mixed levels of model fit are presented, with indicators above and below levels of confidence, implying a need for further iterative study.

Information system security commitment

This paper investigated how senior management is motivated to commit to information system (IS) security. Research shows senior management participation is critical to successful IS security, but has not explained how senior managers are motivated to participate in IS security. Information systems research shows pressures external to the organization have greater influence on senior managers than internal pressures. However, research has not fully examined how external pressures motivate senior management participation in IS security. This study addressed that gap by examining how external pressures motivate senior management participation in ISS through the lens of neo-institutional theory. The research design was survey research. Data collection was through an online survey, and PLS was used for data analysis. Sample size was 167 from a study population of small- and medium-sized enterprises (SMEs) in a mix of industries in the south-central United States. Results supported three of six hypotheses. Mimetic mechanisms were found to influence senior management belief in IS security, and senior management belief in IS security was found to increase senior management participation in IS security. Greater senior management participation in IS security led to greater IS security assimilation in organizations. Three hypotheses were not supported. Correlation was not found between normative influences and senior management belief, normative influences and senior management participation, and coercive influences and senior management participation. This study shows IS security-related mimetic influences have greater impact on senior leaders of SMEs than coercive or normative influences, which may be explained by the absorptive capacity of SMEs. Absorptive capacity refers to the ability of an organization to assimilate a technology. However, absorptive capacity may affect more than just technology assimilation, and may extend to how senior management responds to external influences.

A fuzzy logic-based information security control assessment for organizations

For organizations, security of information is eminent as threats of information security incidents that could impact the information continue to increase. Alarming facts within the literature support the current lack of adequate information security practices and prompt for identifying additional methods to help organizations in protecting their sensitive and critical information. Research efforts shows inadequacies within traditional ISC assessment methodologies that do not promote an effective assessment, prioritization, and, therefore, implementation of ISC in organizations. This research-in-progress relates to the development of a tool that can accurately prioritize ISC in organizations. The tool uses fuzzy set theory to allow for a more accurate assessment of imprecise parameters than traditional methodologies. We argue that evaluating information security controls using fuzzy set theory leads to a more detailed and precise assessment and, therefore, supports an effective selection of information security controls in organizations.

Theorizing Information Security Success: Towards Secure E-Government

As information systems become more pervasive within organizations, securing their associated information assets has become a topic of extensive research. However, minimal research has been focused on understanding the dimensions of information systems security within an organizational context. This study organizes a considerable body of information systems security literature based on their findings, and the authors identify core dimensions of information system security success and operationalize them as a model to predict success with information security initiatives. The utility of the proposed model is evaluated for the e-Government context and emergent issues for research and practice are discussed.

Investigating the Effectiveness of IS Security Countermeasures towards Cyber Attacker Deterrence

The efficacy of information system security countermeasures upon the deterrence of external cyber attackers has not yet been examined. As a result, organizations spend large sums of budgetary dollars upon countermeasures without knowledge of their effects upon the hackers who are waging the attacks. These countermeasures can be divided into two categories, both of which can be located inside or outside of the organization: active countermeasures, which directly inhibit or prevent an attack, and passive countermeasures, which obtain information about the attackers themselves. Using these categories, a framework of information system security countermeasures available to organizations was developed. The framework was evaluated in light of data collected from hacker bulletin boards to determine the effects of information system security countermeasures upon the intentions of these attackers to engage in their attacks.

Securing IS assets through hacker deterrence: A case study

Computer crime is a topic prevalent in both the research literature and in industry, due to a number of recent high-profile cyber attacks on e-commerce organizations. While technical means for defending against internal and external hackers have been discussed at great length, researchers have shown a distinct preference towards understanding deterrence of the internal threat and have paid little attention to external deterrence. This paper uses the criminological thesis known as Broken Windows Theory to understand how external computer criminals might be deterred from attacking a particular organization. The theorys focus upon disorder as a precursor to crime is discussed, and the notion of decreasing public IS disorder to create the illusion of strong information systems security is examined. A case study of a victim e-commerce organization is reviewed in light of the theory and implications for research and practice are discussed.

Introduction to Cybercrime in the Digital Economy Minitrack

The advent of the Internet and the diffusion of computer technologies worldwide have resulted in an unprecedented global expansion of computer-based criminal activity. The very nature of these attacks is also shifting from traditional cyber crime involving lone hackers targeting monolithic entities to involvement of organized crime groups. In the past hackers may have attacked for fun, notoriety, or to challenge themselves, while financial motivations are major consideration nowadays. Computer criminals have begun deploying advanced distributed techniques, which are increasingly effective and devastating. The aim of this mini-track is to encourage research that provides insights into the issue of cyber crime in the digital economy. The six papers included in this mini-track reflect this goal.

Utilizing normative theories to develop ethical actions for better privacy practices

ABSTRACT This study examines the privacy practices of organizations. We argue that successful deployment of privacy practices based on ethical actions will strengthen privacy protection measures to better protect clients’ PII. We propose a set of ethical actions based on six normative theories following multiple case study approach to study three prominent data breaches. Our analysis indicates that ethical actions based on normative theories can be effective in developing better privacy practices for organizations. The theory that has the strongest effect on privacy practices is the deontological approach, while the liberal-intuitive has the weakest effect on privacy practices.